[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
master f165887819: Check for integer overflow when writing Motif targets
|
From: |
Po Lu |
|
Subject: |
master f165887819: Check for integer overflow when writing Motif targets tables |
|
Date: |
Tue, 19 Apr 2022 21:11:37 -0400 (EDT) |
branch: master
commit f165887819e81013638fa599ecb94ea27c53811f
Author: Po Lu <luangruo@yahoo.com>
Commit: Po Lu <luangruo@yahoo.com>
Check for integer overflow when writing Motif targets tables
* src/xterm.c (xm_setup_dnd_targets): Check for integer overflow
when adding list to target table.
---
src/xterm.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 47 insertions(+), 11 deletions(-)
diff --git a/src/xterm.c b/src/xterm.c
index 03d5a503f8..92c8ac09c9 100644
--- a/src/xterm.c
+++ b/src/xterm.c
@@ -1488,7 +1488,6 @@ xm_get_drag_window (struct x_display_info *dpyinfo)
return drag_window;
}
-/* TODO: overflow checks when inserting targets. */
static int
xm_setup_dnd_targets (struct x_display_info *dpyinfo,
Atom *targets, int ntargets)
@@ -1503,6 +1502,7 @@ xm_setup_dnd_targets (struct x_display_info *dpyinfo,
xm_byte_order byteorder;
uint8_t *data;
ptrdiff_t total_bytes, total_items, i;
+ uint32_t size, target_count;
drag_window = xm_get_drag_window (dpyinfo);
@@ -1609,19 +1609,55 @@ xm_setup_dnd_targets (struct x_display_info *dpyinfo,
if (idx == -1)
{
- header.target_list_count++;
- header.total_data_size += 2 + ntargets * 4;
+ target_count = header.target_list_count;
+ rc = false;
- recs[header.target_list_count - 1]
- = xmalloc (FLEXSIZEOF (struct xm_targets_table_rec,
- targets, ntargets * 4));
- recs[header.target_list_count - 1]->n_targets = ntargets;
+ if (INT_ADD_WRAPV (header.target_list_count, 1,
+ &header.target_list_count)
+ || INT_MULTIPLY_WRAPV (ntargets, 4, &size)
+ || INT_ADD_WRAPV (header.total_data_size, size,
+ &header.total_data_size)
+ || INT_ADD_WRAPV (header.total_data_size, 2,
+ &header.total_data_size))
+ {
+ /* Overflow, remove every entry from the targets table
+ and add one for our current targets list. This
+ confuses real Motif but not GTK 2.x, and there is no
+ other choice. */
- for (i = 0; i < ntargets; ++i)
- recs[header.target_list_count - 1]->targets[i] = targets_sorted[i];
+ for (i = 0; i < target_count; ++i)
+ xfree (recs[i]);
- idx = header.target_list_count - 1;
- rc = false;
+ xfree (recs);
+
+ header.byte_order = XM_BYTE_ORDER_CUR_FIRST;
+ header.protocol = 0;
+ header.target_list_count = 1;
+ header.total_data_size = 8 + 2 + ntargets * 4;
+
+ recs = xmalloc (sizeof *recs);
+ recs[0] = xmalloc (FLEXSIZEOF (struct xm_targets_table_rec,
+ targets, ntargets * 4));
+
+ recs[0]->n_targets = ntargets;
+
+ for (i = 0; i < ntargets; ++i)
+ recs[0]->targets[i] = targets_sorted[i];
+
+ idx = 0;
+ }
+ else
+ {
+ recs[header.target_list_count - 1]
+ = xmalloc (FLEXSIZEOF (struct xm_targets_table_rec,
+ targets, ntargets * 4));
+ recs[header.target_list_count - 1]->n_targets = ntargets;
+
+ for (i = 0; i < ntargets; ++i)
+ recs[header.target_list_count - 1]->targets[i] =
targets_sorted[i];
+
+ idx = header.target_list_count - 1;
+ }
}
}
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- master f165887819: Check for integer overflow when writing Motif targets tables,
Po Lu <=